[00:18.440 --> 00:21.900]  Hawkeye Dank has been pretty active over the last while.
[00:21.960 --> 00:23.300]  It sure has.
[00:23.420 --> 00:24.840]  That looks like we're in.
[00:26.240 --> 00:29.320]  I haven't seen it yet, but I'll transition us live.
[00:31.950 --> 00:33.470]  There it is.
[00:33.490 --> 00:34.650]  Alrighty.
[00:37.600 --> 00:40.780]  Okay, thank you everybody for coming along.
[00:40.780 --> 00:48.060]  This is the Q&A portion for exploiting keyspace vulnerabilities in the physical world.
[00:48.060 --> 00:51.560]  Your main goon here is going to be Pasties.
[00:51.560 --> 00:52.760]  This is Fallible.
[00:53.880 --> 00:57.460]  And thank you, Bill Graydon, for coming to join us today.
[00:57.560 --> 01:00.580]  Bill, could you tell us a little bit about yourself before we get started?
[01:01.920 --> 01:03.220]  Yeah, absolutely.
[01:03.660 --> 01:06.120]  So, my name is Bill, as you know.
[01:07.140 --> 01:09.100]  This is my second DEF CON.
[01:09.280 --> 01:13.220]  I actually started out last year as both a main track speaker and a village lead,
[01:13.220 --> 01:20.660]  founding and running the Lock Bypass Village, which I'm helping out with this year as well in the online forum.
[01:21.240 --> 01:26.880]  In my non-hacker life, I worked for a company called GGR Security,
[01:26.880 --> 01:34.120]  doing physical security consulting, audits, and a number of related services in that regard.
[01:34.120 --> 01:42.440]  So, sort of the very flashy aspect of that job that is highly applicable to the DEF CON environment is physical penetration tests.
[01:42.440 --> 01:46.700]  With which some of these things that I talk about fit into.
[01:47.940 --> 01:49.140]  Excellent.
[01:51.400 --> 01:52.720]  Go ahead.
[01:52.720 --> 01:55.680]  Yeah, we're seeing a couple of questions come in right now.
[01:56.500 --> 02:01.200]  Well, we have one question about, have you ever created a bump key?
[02:01.200 --> 02:06.640]  Another one is your opinions on the disk style locks.
[02:07.020 --> 02:11.440]  So, some general questions about different types of locks right now.
[02:12.200 --> 02:17.000]  You're welcome to take a stab at those, and we'll wait for a few more talks to come in.
[02:17.660 --> 02:24.380]  So, in terms of creating the bump key, I've created hundreds, possibly thousands of them.
[02:24.560 --> 02:31.100]  Yeah, I mean that video that I showed at the very start of my talk with how keys actually get originated,
[02:31.100 --> 02:37.740]  all you have to do to make a bump key is that cutter wheel that's taking a byte out of the key at particular positions,
[02:37.740 --> 02:45.020]  you just take that all the way down to the bottom position and bend some, and you do that across all the spaces,
[02:45.020 --> 02:47.300]  and that'll do it for you.
[02:47.480 --> 02:54.840]  So yeah, I've absolutely done that for both regular systems as well as high security ones like Medeco.
[02:56.300 --> 02:59.700]  So, sort of along the lines with your talk,
[02:59.700 --> 03:06.240]  when you got to the point where you were like narrowing it down to like the last like 10 or 18 keys,
[03:06.240 --> 03:09.640]  is it possible to make like a targeted bump key that would just be more effective?
[03:09.980 --> 03:12.660]  Just like dealing with all of those all at once?
[03:13.140 --> 03:17.220]  That is an incredible question, and the answer is absolutely yes.
[03:17.440 --> 03:26.660]  What a targeted bump key would look like is effectively the lowest cuts that are present in any of those keys in your narrowed down key space.
[03:26.960 --> 03:32.440]  And so in fact, this is something that's been known to locksmiths for decades,
[03:32.440 --> 03:35.060]  actually the possibility to do something like that.
[03:35.060 --> 03:38.940]  So, I didn't have time to talk about a lot of this in the talk,
[03:38.940 --> 03:45.180]  but one aspect is I talked a bit about how you want your grand master key to be one cut in the highest position,
[03:45.180 --> 03:48.200]  so that none of the change keys under it can be filed down.
[03:48.200 --> 03:52.420]  You also, in many cases, want it to have one cut in the lowest position.
[03:52.480 --> 03:59.060]  And the reason for that is if there's any of your change keys that are lower than your master key in all positions,
[03:59.060 --> 04:04.400]  then that change key will act as a bump key that will work in every lock on that system
[04:04.400 --> 04:09.660]  and can possibly be jiggled around and bump those pins all up to the master shear lines.
[04:11.740 --> 04:16.420]  So yeah, it's a great question and that's how you do it.
[04:17.140 --> 04:24.340]  And the next question, which I kind of interrupted there, was what are your opinions on disk style locks?
[04:24.380 --> 04:27.740]  Apparently storage locations hate them because they actually have to be cut off.
[04:29.040 --> 04:30.860]  Disk detainer type locks?
[04:32.540 --> 04:40.280]  So I'm looking at this question now. I'm not entirely sure what it means with how they have to be cut off.
[04:40.660 --> 04:45.720]  In terms of a storage location, like if someone needs their locks removed,
[04:45.720 --> 04:49.800]  I guess what the question is getting at is that maybe locksmiths are able to pick the other types of locks,
[04:49.800 --> 04:53.880]  but not the disk detainer locks. That effectively comes down to the skill level of the locksmith.
[04:53.880 --> 04:56.520]  Disk detainer locks can be picked just like any others.
[04:57.240 --> 05:02.680]  They're a much more specialized skill set to do and they require more specialized tools to do.
[05:03.160 --> 05:05.980]  And the good ones are harder.
[05:06.620 --> 05:13.560]  So if you've got an Ablet ProTek on there, there's no verified, documented picking success with those.
[05:13.560 --> 05:17.600]  So in that case, then yeah, cutting them off is your only option,
[05:17.600 --> 05:20.400]  which for an Ablet ProTek is also going to be a hell of a job.
[05:21.180 --> 05:26.640]  So I'm not entirely sure what the question is getting at, but I think that pretty well covers it.
[05:26.640 --> 05:27.640]  More than likely.
[05:29.340 --> 05:38.220]  I always enjoy when people come and give us more of the in-depth side of physical security stuff for DEF CON talks,
[05:38.220 --> 05:41.520]  and I appreciate you coming in and presenting that material.
[05:41.520 --> 05:55.060]  So as you're going through, you are explaining things from a bypass direction, at least a lot more bypass this year, right?
[05:55.060 --> 06:00.060]  You're not approaching things from the lock picking side.
[06:00.060 --> 06:10.920]  So how did you find yourself in the direction of the bypass instead of what seems to be more in vogue with the hacking community of the single pin picking?
[06:12.120 --> 06:13.820]  That's a great question.
[06:13.820 --> 06:24.960]  So with bypass, it's the sort of thing that in my anecdotal experience, at least, there's a lot less literature out there about those particular techniques.
[06:24.960 --> 06:32.340]  You've got a whole bunch of great talks at various conferences about them, but nothing super formalized.
[06:32.340 --> 06:37.700]  There's a lot in that field that really is yet to be discovered or potentially yet to be published.
[06:38.220 --> 06:50.200]  Since, as I mentioned in some of my other talks with Bypass Village, lock bypassing has traditionally been the domain of criminals and of classified materials,
[06:50.200 --> 06:52.480]  both of which tend not to get published.
[06:53.340 --> 07:05.940]  Locksmiths as well do it, but even still, the locksmithing industry is a very tight, tribal knowledge, apprenticeship-based type industry where they don't publish that sort of thing.
[07:05.940 --> 07:12.900]  So that's, I think, a large part of why the hacker community has not gotten into it nearly as much lately, or until lately.
[07:13.660 --> 07:19.500]  From a personal perspective as well, I have never been a very good lock picker.
[07:19.500 --> 07:22.480]  I understand the theory inside and out, but I just can't do it.
[07:22.660 --> 07:25.420]  And that's in a large part because of a fine motor disability that I have.
[07:25.420 --> 07:30.180]  So it's like, you know, I gotta go find something else that takes a bit more core skills.
[07:30.780 --> 07:32.480]  And so lock bypass is part of that.
[07:32.480 --> 07:39.820]  And then having founded and run the Lock Bypass Village is like, you jump headlong into it, you can't get out once you're running a village.
[07:40.640 --> 07:45.040]  I totally understand that. So what's your everyday carry kit look like?
[07:45.940 --> 07:50.220]  Good question. I mean, I am incredibly disorganized.
[07:50.220 --> 07:56.460]  So to think that I have an everyday carry kit is a bit of gratuitous to me.
[07:56.580 --> 08:06.440]  But, you know, if I'm anticipating needing to potentially get through a door, it's like, well, in that case, I'm carrying a much larger kit than what would be everyday carry.
[08:06.440 --> 08:09.940]  If I'm anticipating, well, maybe needing it, but probably not.
[08:10.760 --> 08:15.200]  You know, I might have a rake and a tension wrench, real simple.
[08:15.200 --> 08:21.240]  That's all the picking equipment for poking the latch out of the way.
[08:21.540 --> 08:24.260]  So like a shove knife for latch bypass.
[08:24.480 --> 08:35.420]  What I've got on my key ring is a little wire that's just an L-shaped end of wire that I can whip out and do that on any lock that I might encounter.
[08:35.420 --> 08:37.120]  So I've got that.
[08:37.820 --> 08:39.340]  And really that's about it.
[08:39.340 --> 08:41.400]  I don't carry a whole lot else with me.
[08:41.400 --> 08:49.740]  And I find that in many cases, if you can't improvise, it's not worth taking that particular approach in an everyday situation.
[08:50.940 --> 09:07.700]  I know there's a lot of discussion in the community, at least in the lock picking community, of most of what we do for fun as locksporters isn't all that practical out in the world trying to be a locksmith.
[09:08.060 --> 09:16.080]  At least from what I've heard, and maybe you'll either confirm this or tear this down.
[09:16.080 --> 09:28.840]  But if you're faced with a lock, it's usually going to be easier to attack the mechanism that holds the door together or get in through a window or etc.
[09:29.920 --> 09:31.700]  Oh yeah, absolutely.
[09:31.700 --> 09:36.340]  I mean, a large part of it is sort of not just hacking, but ethical hacking.
[09:36.660 --> 09:43.120]  It's like if our goal is to get into a facility, we're sort of balancing a number of objectives here.
[09:43.120 --> 09:52.140]  How much do we care about how long it takes us to get in? How much do we care about the damage that we do, the noise that we make, the forensic evidence that we leave behind, etc.
[09:52.200 --> 09:58.020]  So you kind of pick and choose your techniques based on that. And then of course, there's a cost element, there's a skill element.
[09:58.020 --> 10:00.140]  So it's pretty multi-dimensional in that regard.
[10:00.660 --> 10:11.560]  And the vast majority of practical cases, what we see in security consulting, is you're protecting against forcible, you're protecting against very, very, very basic bypasses.
[10:11.560 --> 10:14.320]  And that's about it, and that's what your threat model is.
[10:14.620 --> 10:26.400]  And so I think in some regard, the focus of the hacker community on ethical hacking has done somewhat a disservice for the blue team because they are protecting against the wrong threat model.
[10:27.520 --> 10:37.960]  And so you see that a lot with the forcible entry being really downplayed in terms of its impact on physical security.
[10:41.160 --> 10:48.960]  I like that as a thought. That's really interesting of talking about training the blue team maybe to not...
[10:50.520 --> 10:58.980]  The things that people in the outside world are going to hit you with might not be the same things that we as the hobbyists are going to hit you with.
[11:00.640 --> 11:16.180]  Do you have a specific example of something that is more realistic in the real world that a blue team might encounter as far as physical security protection goes that isn't normally tested or advocated for in these kind of talks, that kind of thing?
[11:17.840 --> 11:26.920]  Yeah, I mean if you... let's take a simple example. You're a mom and pop shop and you want to protect your store.
[11:27.900 --> 11:35.720]  If you go to... many police departments will do a very simple free security audit for you.
[11:35.720 --> 11:41.000]  And they know very well what the threat model is, and so they're recommending things like bars on the windows.
[11:41.760 --> 11:48.640]  If you go and ask many people in the hacker community to do a security audit, they're not going to think about things like that.
[11:48.640 --> 11:57.900]  They're going to try to use a fancy latch thumb turn bypass tool on the door and say, okay, you got to patch that up.
[11:57.900 --> 12:02.960]  And they might try some sort of electronic attack on your access control system.
[12:02.960 --> 12:13.480]  Sure, it's a vulnerability, but the sort of people that have the means and the motivation and the skills to perform those are not going to be breaking into their neighborhood mom and pop.
[12:13.480 --> 12:17.800]  Right. Matching the attacker to the threat model.
[12:18.100 --> 12:18.820]  Yeah.
[12:19.760 --> 12:26.100]  We got a question. Have you notified any security desks about the vulnerability of having their keys visible?
[12:27.860 --> 12:30.980]  Can you say the first part again? Have I notified them?
[12:30.980 --> 12:42.180]  Yeah. Has it been an actionable report or just informed them, like, hey, you've got your security keys on your ring and I can see them and that's a problem?
[12:42.180 --> 12:48.140]  Oh, absolutely. Yeah. It's one of the standard things we check for with any security audit.
[12:48.440 --> 12:52.560]  The biggest time that we see this is with multi-unit residential.
[12:52.560 --> 12:55.440]  If you've got a concierge desk, we leave that lying out.
[12:55.440 --> 13:02.720]  And it's a really simple human factors thing, right? So you just create, you know, put a little box there that they can put it in that shields it from public view.
[13:02.980 --> 13:13.220]  And that little box then can be self-locking. So if they have to walk away and handle something, that's not then left out there for anyone to see or take or whatnot.
[13:13.220 --> 13:19.200]  And we've seen some pretty egregious cases of that being breached when you don't have good human factor design in that regard.
[13:21.500 --> 13:32.020]  So first off, the tool that you showed off throughout the entirety of your talk, is that already available? Is that something that other people can see and use?
[13:32.800 --> 13:38.220]  Yes, it is. Yeah, so that's online at a number of links that I've posted in my talk.
[13:38.220 --> 13:50.520]  So you can find the source code on my GitHub. And tinyurl.com slash key dash space will link you to a version that you can run right in your web browser.
[13:50.880 --> 13:52.220]  That's awesome.
[13:52.340 --> 13:58.400]  We can share that in the track one channel here at the end if that's cool with everybody.
[13:58.400 --> 14:10.420]  So with that tool, it starts out with a pretty brute force approach and you start adding on these layers of knowledge.
[14:11.160 --> 14:18.660]  There was a lot of pieces of knowledge. Is that something that you just picked up through your experience?
[14:18.680 --> 14:27.260]  Or is this just like you just aggressively compiled all this information from everyone that you knew just to put this tool together?
[14:28.740 --> 14:36.580]  That's a great question. I'd say that a lot of it is experience just talking to people.
[14:36.580 --> 14:43.000]  The sort of thing that, again, that kind of tribal knowledge that exists in locksmithing communities, for instance.
[14:43.000 --> 14:51.780]  So we're fairly good friends with a number of locksmiths and so we chat with them about all sorts of stuff like this and get information there.
[14:51.780 --> 14:58.420]  And then a lot of it, when you kind of crunch the numbers and understand the mathematics behind how keying systems actually operate.
[14:58.460 --> 15:03.040]  At that point, you can formally model them with a number of mathematical constructs.
[15:03.040 --> 15:06.400]  And from that, these rules become a corollary of that.
[15:06.400 --> 15:10.600]  So a lot of it can be derived independently.
[15:11.400 --> 15:15.740]  And so, for instance, the rights amplification attack.
[15:15.740 --> 15:20.960]  So we derive that independently and then determine that actually this has been published about before as well.
[15:20.960 --> 15:23.220]  And it's been known in the locksmithing community.
[15:23.220 --> 15:31.160]  So it's the sort of thing that a lot of people have thought about, but hasn't until relatively recently been published widely.
[15:32.040 --> 15:37.300]  And to my knowledge, it's the first time that there's a computational tool for analyzing it.
[15:37.760 --> 15:38.960]  That's awesome.
[15:40.100 --> 15:42.140]  So we've got another question.
[15:42.140 --> 15:47.560]  Have you had any experience with working with life locks at any military contractor facilities?
[15:49.480 --> 15:51.540]  The answer is no.
[15:51.540 --> 15:55.420]  I will actually ask for clarification on what is a life lock.
[15:55.420 --> 15:56.880]  I don't know either.
[15:57.820 --> 16:03.500]  Hawkeye Denk, if you're still watching, you've got us all intrigued what a life lock is.
[16:05.520 --> 16:11.140]  I guess I'll bump back to your tool a little bit while we're waiting to hear back from Hawkeye.
[16:14.420 --> 16:16.660]  I totally blanked on my question.
[16:16.660 --> 16:18.300]  You got me.
[16:18.400 --> 16:19.840]  No, you're good.
[16:19.840 --> 16:24.880]  So your talk is quite long, and thank you for that.
[16:24.880 --> 16:37.040]  And actually, if anybody is out there looking forward to watching this, he or someone was nice enough to go through and nicely index all of the timestamps on that.
[16:38.520 --> 16:39.580]  Yeah, that was me.
[16:39.580 --> 16:43.100]  So, yeah, thank you for that.
[16:43.100 --> 16:49.280]  There was some... you mentioned some code books in there.
[16:49.280 --> 16:56.840]  And I get the impression there were some legal, possibly ethical implications of having that information available.
[16:56.840 --> 17:04.340]  Could you talk to that a little bit of any solutions that you're working on on trying to make that more accessible?
[17:04.920 --> 17:05.840]  Absolutely, yeah.
[17:05.840 --> 17:13.220]  So as far as code books are concerned, I mean, there's hundreds... well, there's thousands of them out there.
[17:13.220 --> 17:16.980]  There's hundreds that are common to see examples of in the wild.
[17:17.700 --> 17:24.360]  You know, everything from... I mean, any standard key system that has generally numbers associated with it.
[17:24.360 --> 17:27.420]  So you might have heard of common keys like 1284x.
[17:27.420 --> 17:29.080]  Well, that's part of a series.
[17:29.560 --> 17:32.040]  0151x, which you looked at in the talk, is another part of that series.
[17:32.040 --> 17:34.780]  And then there's 1700 others in it.
[17:35.340 --> 17:39.240]  C415a, so there's your national cabinet keying set.
[17:39.240 --> 17:42.740]  There's about 600 in the A series, as well as there's a B and a C.
[17:43.260 --> 17:45.680]  And there's hundreds of others like that.
[17:45.680 --> 17:48.740]  Medeco, non-mastered systems have code books as well.
[17:48.940 --> 17:58.620]  So this is a lot of data that's being compiled by a number of services out there, the most well-known of which is Instacode.
[17:58.620 --> 18:10.200]  So anyone that's looking for that information on a case-by-case basis can get a subscription to that and look up what is C415a, what's the bidding of that.
[18:10.200 --> 18:12.700]  You can't download the entire data set for that.
[18:12.700 --> 18:14.620]  We happen to have the entire data set.
[18:14.620 --> 18:20.100]  It's not licensed in a manner that we can then release it freely, unfortunately.
[18:20.100 --> 18:34.220]  One thing that I'm toying with to make that actually happen is create a crowdsourced platform so people can, if they have access to that information in a way that they're not constrained by the license, they can upload it.
[18:34.340 --> 18:44.680]  And then we can create a compendium of that, as well as I'm going to be adding back into the app a way to import that data, if you happen to have it, through whatever reason or whatever source.
[18:44.680 --> 18:46.380]  And then you can analyze it that way.
[18:47.240 --> 18:49.600]  So yeah, I'm working on a workaround for that.
[18:50.720 --> 18:51.900]  Yeah, go ahead.
[18:51.900 --> 18:56.860]  Just like spitballing, could that kind of crowdsourcing happen at a finer-grained level?
[18:56.860 --> 19:02.960]  Like, I have this style of key, it's got this numeric thing on it, and here's the bidding thing.
[19:02.960 --> 19:09.720]  Could that just be crowdsourced that way instead of fully wholesaling uploading the book?
[19:10.700 --> 19:12.080]  It absolutely could be.
[19:13.580 --> 19:19.200]  That is a little bit trickier when you intersect that with doing the analysis with this software.
[19:19.200 --> 19:30.520]  Because now it's like, if I have a photo of a key that I think is in this series, and I say I want to limit my key space to only what's in that series, if I don't have a complete series, I'm going to get a wrong answer there.
[19:31.300 --> 19:41.180]  So it does create a bit of a challenge with that, which is why there's value in that information that the codebook you've uploaded is complete.
[19:42.140 --> 19:52.460]  But for someone that just wants to do a task like look up a particular indirect bidding code to get the direct one, that would absolutely be valuable for that.
[19:54.240 --> 20:04.180]  So Hawkeye did get back to us. A life lock is a fail-secure combo lock. It can be spun to keep any further attempts to open occurring.
[20:06.790 --> 20:12.790]  Interesting. So is it the sort of thing where you can spin it to permanently disable lock if something's happening?
[20:12.790 --> 20:15.510]  That sounds like exactly what it is.
[20:15.870 --> 20:26.850]  That's a cool concept. I haven't actually worked on any of those before. I'm interested to look it up and see if there's any fun analytics we can do with that.
[20:27.610 --> 20:45.570]  So Hawkeye, if you have any examples of these that you would like to talk further about, this would be a good opportunity to send some messages over to Bill and DM and maybe there's some interesting future research at play there.
[20:45.830 --> 20:53.970]  Which is actually probably a good question to go to. What's your future research? Where are you going next with this project?
[20:54.890 --> 21:04.430]  That's a great question. So there's a number of dimensions of that research, which is applying these general methodologies to combination locks.
[21:04.790 --> 21:11.150]  So a lot of the same thing can be used if you can get any little bit of information out of, say, a safe dial.
[21:11.610 --> 21:20.130]  So very, very skilled people can listen to the clicks and determine what that means. Can we use a computer to make that accessible to a wider audience?
[21:21.080 --> 21:28.370]  That's something that I'm currently working on and will be submitting to DEF CON in future years once that's complete.
[21:28.370 --> 21:37.950]  Another dimension is tying it into the talk that I gave last year about keyways and the shape of the keys.
[21:38.370 --> 21:47.330]  And so we can combine those two and really get a good sense of, from a photo, being able to disambiguate that.
[21:47.330 --> 21:52.110]  And so tying those two pieces in as well.
[21:55.920 --> 21:57.170]  Cool. That's awesome.
[21:58.140 --> 22:11.040]  Hawk, I came back to mention that he's seen them but is not able to show pics because of policy discouraging that, which is probably expected.
[22:12.420 --> 22:20.560]  So you will share all of your contact information so people can reach out to you, I'm assuming.
[22:20.560 --> 22:24.200]  And you are active in some of the other communities here.
[22:24.200 --> 22:31.800]  Would you tell us a little bit about the Lock Bypass Village and some of what you do over there?
[22:32.680 --> 22:33.880]  Yeah, for sure.
[22:33.880 --> 22:37.520]  So as I mentioned, last year was our first year at DEF CON.
[22:37.520 --> 22:46.540]  And so we had a whole bunch of little doors, two feet tall, that had different types of hardware within them.
[22:46.540 --> 23:01.340]  We had a car door there and some components from elevators, some components from intercom systems that people could then try and do these physical security hacks on.
[23:01.660 --> 23:06.820]  And we were packed right up to fire code the entire time. People really loved doing that.
[23:07.660 --> 23:13.740]  And so this year, of course, with Safe Mode, what we've done is taken what we could and made online games for it.
[23:13.860 --> 23:20.980]  So you can go online to bypassvillage.org, you can practice rewiring alarms to disable them at the comms line,
[23:20.980 --> 23:29.680]  you can practice using UBINC to bypass combination locks, practice using shoved knives to disable latches on doors,
[23:29.680 --> 23:33.240]  and a whole bunch of other stuff that we've bought little mini-games for.
[23:36.820 --> 23:40.340]  I crashed the Village last year and I loved what I saw.
[23:40.340 --> 23:44.020]  The one thing that I don't know if I just missed it or if it wasn't there.
[23:44.040 --> 23:51.780]  If you can add something about the magnetic door locking things, I would love to see somebody.
[23:52.380 --> 23:56.880]  Yeah, we're planning to have a whole big exhibit on that this year.
[23:56.880 --> 24:02.220]  And then RON-EV happens, so that will absolutely be there for you to see next year.
[24:02.220 --> 24:04.080]  I look forward to it.
[24:05.000 --> 24:10.560]  Was there anything that you felt like you just couldn't fit into your talk?
[24:10.560 --> 24:17.380]  Some piece of your tool or something else that you wanted to go over that was just fascinating for you but just got the cut?
[24:19.000 --> 24:20.680]  Oh my gosh, there was so much.
[24:22.180 --> 24:27.220]  I mean, I did the initial talk and thought, oh man, an hour 45, this is great, I can cover everything.
[24:27.220 --> 24:29.600]  And then I had to cut it down to three hours.
[24:31.820 --> 24:38.200]  So, I mean, one interesting thing that those who are mathematically inclined will be interested to play around with
[24:38.200 --> 24:43.780]  is there's a separate related tool that will take, if you have a system of locks, you know what your shear lines are.
[24:43.800 --> 24:49.620]  It will generate a relationship graph for all the different low-level keys, master keys, and the top-level master
[24:49.620 --> 24:52.100]  for which key will work in which lock.
[24:52.100 --> 25:01.020]  And you get some really neat emergent mathematical properties from that using different mastering systems.
[25:01.020 --> 25:04.180]  So that's something that is up on my GitHub right now.
[25:04.180 --> 25:09.820]  I will send a link as soon as I can hop over to the track one talk page.
[25:09.820 --> 25:12.520]  I'll send a link to an active version you can play with.
[25:13.440 --> 25:16.760]  So that's one of many things.
[25:16.760 --> 25:22.240]  Did you use that to generate a key diagram in your talk at one point?
[25:22.260 --> 25:28.360]  Because there was a grandmaster master key tree effect.
[25:28.360 --> 25:33.100]  So that one was not auto-generated.
[25:33.320 --> 25:39.060]  The auto-generated ones are not nearly as well-behaved as what I showed in the talk.
[25:39.120 --> 25:40.900]  I manually made that one.
[25:41.980 --> 25:44.620]  But what the auto-generated ones look like is...
[25:44.620 --> 25:51.400]  One thing to consider with keying hierarchies is if I do the mastering on pins 1, 2, 3, 4, and 5,
[25:51.400 --> 25:55.500]  if I have a master in pin 3, 4, 5 like in the example that I showed,
[25:55.500 --> 25:59.400]  that's what a typical submaster key would look like.
[25:59.400 --> 26:03.920]  I could also put a master in pins 1 and 2 and then change keys in pins 3, 4, and 5.
[26:03.920 --> 26:11.700]  And so now I have a master key that's going to work on selectively some locks in the A, B, and C system and not others.
[26:11.700 --> 26:20.900]  And so you actually have this n-dimensional tesseract that's created from doing up master keys in that regard.
[26:21.040 --> 26:29.040]  And there's another type of system called rotating constant system that creates incredibly complex relationship graphs there.
[26:29.440 --> 26:31.800]  That's absolutely awesome.
[26:31.800 --> 26:34.260]  We are right almost out of time.
[26:34.260 --> 26:37.440]  I love the question that Panopticon just asked, though.
[26:37.440 --> 26:41.160]  Would you consider posting the director's cut version of your talk?
[26:43.100 --> 26:45.660]  Yeah, I actually gave a thought to that.
[26:45.660 --> 26:52.840]  I think what I'll do is break it up into bite-sized pieces and post a number of separate videos
[26:52.840 --> 26:58.540]  talking about the different elements that I didn't get time to discuss in the main talk.
[26:58.540 --> 27:03.540]  I just created a whole bunch of social media once this talk was accepted.
[27:03.540 --> 27:05.320]  I should probably make a Twitter, so I made that.
[27:05.320 --> 27:14.580]  I made a YouTube channel as well, so that's the Bert and Liam channel that's been commenting on my talk there.
[27:14.760 --> 27:18.440]  That's for me and my brother, or Robert and William.
[27:18.680 --> 27:22.600]  Well, Bert and Liam, that's also a valid shorthand for that.
[27:23.200 --> 27:27.860]  Take a look at that, and whenever I have time after all the chaos of DEF CON comes down,
[27:27.860 --> 27:31.300]  I'll be posting some bite-sized videos in there.
[27:31.360 --> 27:34.320]  Awesome. Well, thank you for doing our QA session.
[27:34.320 --> 27:36.940]  Thank you for doing such a fantastic talk.
[27:37.280 --> 27:39.300]  Hope to see you again next year.
[27:40.840 --> 27:42.860]  Thank you so much.
[27:43.200 --> 27:46.040]  There's plenty more that we all want to hear from you.
[27:46.040 --> 27:54.800]  For anybody who would like to know more, it sounds like you can track Bill down in the Lock Bypass Village.
[27:55.460 --> 27:58.320]  There's more information over there for you to learn as well.
[27:58.440 --> 27:59.960]  Thank you very much.
[28:00.400 --> 28:06.180]  I'll be lurking in the Q&A page or chat for the next few minutes as well.
[28:06.180 --> 28:07.100]  Perfect.
[28:07.240 --> 28:08.360]  Excellent.
[28:08.860 --> 28:09.520]  Cheers.
[28:09.520 --> 28:10.580]  Thank you so much.
